Hello All.
I have been trying to use hotspot with http://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade
But when hotspot is enabled the balancing fails.
How can I use them together?
Thanks
Use PCC:
http://forum.mikrotik.com/t/loadbalancing-work-fine-but-with-hotspot/17200/11
http://wiki.mikrotik.com/wiki/Manual:PCC
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)
Better for load balancing, and you get failover, whereas with ECMP there is no failover at all. I also believe it solves a few problems that ECMP has with maintained connections. I have PCC working fine with hotspots at 80+ locations with no issues; there will probably be a few tweaks you may need to do to get it working just the way you want it for your networks, though. But it is well documented in the Wiki and in the forums.
I did that, changed to PCC instead of ECMP, but the result was the same.
If I enable Hotspot the load balancing fails.
HELPPPPPPP
Post the output of "/ip firewall export", wrapped in code brackets to make it more readable. Without that information we cannot supply help.
For good measure throw in:
/ip hotspot export
/ip address print detail
/ip route print detail
OK, here it is.
IP FIREWALL.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add action=drop chain=virus comment=RPC disabled=no dst-port=111 protocol=udp
add action=drop chain=virus comment=RPC disabled=no dst-port=111 protocol=tcp
add action=drop chain=virus comment=Ident disabled=no dst-port=113 protocol=udp
add action=drop chain=virus comment=Ident disabled=no dst-port=113 protocol=tcp
add action=drop chain=virus comment=DropMyDoom disabled=yes dst-port=1080 \
    protocol=tcp
add action=drop chain=virus comment=Requester disabled=no dst-port=1363 \
    protocol=tcp
add action=drop chain=virus comment="Elimina \"Sasser.b\"" disabled=no \
    dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Elimina \"Blaster Worn\"" disabled=no \
    dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="" disabled=no protocol=tcp src-port=135-139
add action=drop chain=virus comment="Elimina \"Elimina Messenger Worn\"" \
    disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="" disabled=no protocol=udp src-port=135-139
add action=drop chain=virus comment="Elimina Blaster Worn" disabled=no \
    protocol=udp src-port=445
add action=drop chain=virus comment="" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment="-- Virus" disabled=no dst-port=1024-1030 \
    protocol=tcp
add action=drop chain=virus comment="Net Send Udp Msn PoPup" disabled=no \
    dst-port=1024-1030 protocol=udp
add action=drop chain=virus comment=Mydoom disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="—" disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp
add action=drop chain=virus comment="ndm reuqester" disabled=no dst-port=1363 \
    protocol=tcp
add action=drop chain=virus comment="Ndm Server" disabled=no dst-port=1364 \
    protocol=tcp
add action=drop chain=virus comment=WORN disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Netbuss disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Rpc-Dcom disabled=no dst-port=135 protocol=tcp
add action=drop chain=virus comment="Dabber AB" disabled=no dst-port=9898 \
    protocol=tcp
add action=drop chain=virus comment=Netbuss disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Netbuss disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Netbuss disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=8652-RPC disabled=no dst-port=8652 protocol=tcp
add action=drop chain=virus comment=Beagle.B disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Damaru.Y disabled=no dst-port=10000 \
    protocol=tcp
add action=drop chain=virus comment=NetBus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven disabled=no dst-port=27374 \
    protocol=tcp
add action=drop chain=virus comment=PhatBot,GaoBot disabled=no dst-port=65506 \
    protocol=tcp
add action=drop chain=virus comment=UpNp disabled=no dst-port=1900 protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=virus
add action=return chain=virus comment="" disabled=no
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no \
    in-interface=ether1-gateway new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="" disabled=no \
    in-interface=ether2-local new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=output comment="" connection-mark=no-mark \
    disabled=no new-connection-mark=wan1 passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=output comment="" connection-mark=no-mark \
    disabled=no new-connection-mark=wan2 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=output comment="" connection-mark=wan1 \
    disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan2 \
    disabled=no new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether3-local \
    new-connection-mark=wan1 passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=ether3-local \
    new-connection-mark=wan2 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1 \
    disabled=no in-interface=ether3-local new-routing-mark=to_wan1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=wan2 \
    disabled=no in-interface=ether3-local new-routing-mark=to_wan2 \
    passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="" disabled=no \
    out-interface=ether2-local
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5060-5082 \
    protocol=tcp to-addresses=192.168.0.254 to-ports=5060-5080
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5060-5082 \
    protocol=udp to-addresses=192.168.0.254 to-ports=5060-5080
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=10000-20000 \
    protocol=udp to-addresses=192.168.0.254 to-ports=10000-20000
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080 \
    protocol=tcp to-addresses=192.168.0.254 to-ports=8080
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=9080 \
    protocol=tcp to-addresses=192.168.0.20 to-ports=9080
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8082 \
    protocol=tcp to-addresses=192.168.0.252 to-ports=8082
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8040 \
    protocol=tcp to-addresses=192.168.0.240 to-ports=8040
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8041 \
    protocol=tcp to-addresses=192.168.0.241 to-ports=8041
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8042 \
    protocol=tcp to-addresses=192.168.0.242 to-ports=8042
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8043 \
    protocol=tcp to-addresses=192.168.0.243 to-ports=8043
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8044 \
    protocol=tcp to-addresses=192.168.0.244 to-ports=8044
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8045 \
    protocol=tcp to-addresses=192.168.0.245 to-ports=8045
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8081 \
    protocol=tcp to-addresses=192.168.0.253 to-ports=8081
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389 \
    protocol=tcp to-addresses=192.168.0.20 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389 \
    protocol=udp to-addresses=192.168.0.20 to-ports=3389
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.0.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip route
add check-gateway=ping comment="" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=10.0.22.1 routing-mark=to_wan1 scope=30 \
    target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=10.0.12.1 routing-mark=to_wan2 scope=30 \
    target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=10.0.22.1 scope=30 target-scope=10
/ip address
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no \
    interface=ether3-local network=192.168.0.0
add address=10.0.12.50/24 broadcast=10.0.12.255 comment="" disabled=no \
    interface=ether1-gateway network=10.0.12.0
add address=10.0.22.59/24 broadcast=10.0.22.255 comment="" disabled=no \
    interface=ether2-local network=10.0.22.0
Thanks ¡¡¡¡¡
At first glance, you are missing one part.
/ip firewall nat
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth
This rule prevents packets from being processed against the hotspot after someone has been authorized on the network. Because of the way the hotspot works, this causes issues with PCC since everything is being redirected to the router for processing. As an alternative you can specify that in your mark-connection rules by adding "hotspot=auth" to them, but it's easier to just have the NAT rule, and it makes it so people that are bypassed still get load balanced along with everyone else.
A couple of performance enhancements to your current mark-connection rules:
"connection-mark=no-mark connection-state=new"
Once a connection has a mark, there is no reason to continue to mark it again. Also, these will prevent a connection mark from being overwritten and causing other potential problems. I would also recommend setting "passthrough=no" on your mark-routing rules. No reason to keep processing a packet once it has a routing mark.
You are also missing these rules higher above your mark connection rules for the LAN.
add chain=prerouting dst-address=10.0.12.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.0.22.0/24 action=accept in-interface=LAN
This prevents load balancing from happening to the subnets on the WAN, which will often cause problems if they aren't there.
On a side note, these two rules are likely going to cause problems for the router and aren't needed. Get rid of them:
add action=mark-connection chain=output comment="" connection-mark=no-mark \
disabled=no new-connection-mark=wan1 passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=output comment="" connection-mark=no-mark \
disabled=no new-connection-mark=wan2 passthrough=yes \
per-connection-classifier=both-addresses:2/1
Are you doing transparent proxy at all? That also requires extra steps to get it all working correctly. Turn that off for now if you are until you get load balancing working, but the steps above should get you there I believe.
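A consolidated rule set that applies the advice in the reply above, as an added example rather than the poster's or the reply's own config. One thing worth checking in the posted export: the wan1 connection mark is set on ether1-gateway (10.0.12.0/24), yet the to_wan1 route uses gateway 10.0.22.1, which sits on ether2-local; the example below pairs each mark with the gateway on its own interface. Assumed from the export: the interface names, the 10.0.12.1 and 10.0.22.1 gateway addresses, and the 192.168.0.0/24 hotspot LAN.

```routeros
# Added example (not the poster's config): PCC load balancing coexisting with
# hotspot. Assumptions: WAN1 = ether1-gateway (10.0.12.0/24, gw 10.0.12.1),
# WAN2 = ether2-local (10.0.22.0/24, gw 10.0.22.1), LAN = ether3-local.

/ip firewall nat
# Authenticated hotspot clients skip the hotspot redirect, so their
# connections keep the PCC marks assigned in prerouting.
add chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
add chain=srcnat action=masquerade out-interface=ether1-gateway
add chain=srcnat action=masquerade out-interface=ether2-local

/ip firewall mangle
# Traffic to the WAN subnets themselves must never be load balanced.
add chain=prerouting action=accept in-interface=ether3-local dst-address=10.0.12.0/24
add chain=prerouting action=accept in-interface=ether3-local dst-address=10.0.22.0/24
# Inbound connections from each WAN: remember which WAN they arrived on,
# marking only new, unmarked connections so a mark is never overwritten.
add chain=input action=mark-connection in-interface=ether1-gateway \
    connection-mark=no-mark connection-state=new new-connection-mark=wan1
add chain=input action=mark-connection in-interface=ether2-local \
    connection-mark=no-mark connection-state=new new-connection-mark=wan2
# Router-originated replies follow the WAN the connection came in on.
add chain=output action=mark-routing connection-mark=wan1 \
    new-routing-mark=to_wan1 passthrough=no
add chain=output action=mark-routing connection-mark=wan2 \
    new-routing-mark=to_wan2 passthrough=no
# LAN-originated connections: PCC splits them 50/50 by both addresses.
add chain=prerouting action=mark-connection in-interface=ether3-local \
    dst-address-type=!local connection-mark=no-mark connection-state=new \
    per-connection-classifier=both-addresses:2/0 new-connection-mark=wan1
add chain=prerouting action=mark-connection in-interface=ether3-local \
    dst-address-type=!local connection-mark=no-mark connection-state=new \
    per-connection-classifier=both-addresses:2/1 new-connection-mark=wan2
# Routing marks: passthrough=no stops processing once the mark is set.
add chain=prerouting action=mark-routing in-interface=ether3-local \
    connection-mark=wan1 new-routing-mark=to_wan1 passthrough=no
add chain=prerouting action=mark-routing in-interface=ether3-local \
    connection-mark=wan2 new-routing-mark=to_wan2 passthrough=no

/ip route
# Each marked route uses the gateway on its own WAN interface; the two
# unmarked defaults with different distances give failover via check-gateway.
add dst-address=0.0.0.0/0 gateway=10.0.12.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.22.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.12.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.22.1 distance=2 check-gateway=ping
```

The prerouting accept rules and the pre-hotspot NAT rule must sit above the mark-connection rules, as the reply says; the remaining dst-nat and filter rules from the posted export are unaffected and can stay as they are.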